Active investment management’s weekly magazine for fee-based advisors

Cybersecurity in wealth management: How AI is reshaping risk

May 6, 2026 | Advisor perspectives

Cybersecurity concerns in wealth management are evolving rapidly, with AI-powered threats more convincing—and more dangerous—than ever. Advisors must pair strong internal security with proactive client education.

Cyber threats are becoming increasingly common within the wealth management industry, including AI-generated deepfakes that could dupe clients into unwittingly sending away their nest egg.

Indeed, 68% of asset managers and 62% of wealth managers surveyed by Milwaukee-based consulting and accounting firm Wipfli said that cybersecurity is a major concern for their businesses in 2026—the third consecutive year it ranked as a top priority in the firm’s annual survey.

“We’re living in a digital world,” said Robert Zondag, a partner at Wipfli, in the firm’s report. “For most firms, the place where business gets done is now online. Client relationships extend across digital channels, from onboarding and portfolio reviews to secure document sharing and communication. Even if client relationships are human and personal, every interaction, transaction and record is captured in a digital environment.”

Artificial intelligence is amplifying cybersecurity risk through social engineering, using AI-generated audio and video deepfakes, fake IDs, and other fabricated documents, added Matt Sabo, a director at Wipfli, in the report. While most wealth management firms have implemented cybersecurity measures, threats constantly evolve, leaving many firms facing “protocol fatigue.”

“People know what they should be doing, but the constant vigilance can wear them down,” Sabo said. “The challenge is maintaining discipline and focus, not just on the perimeter, but at the edges where cyber events are most likely to occur.”

TOP CONCERNS FOR WEALTH MANAGEMENT FIRMS OVER THE NEXT 12 MONTHS

Chart of top concerns for wealth management firms over the next year, showing cybersecurity ranked among the highest, with 62% rating it very important and 39% extremely important, according to Wipfli.

Source: “The state of the wealth management industry 2026,” Wipfli

We asked cybersecurity experts and financial advisors how they improve internal security and help clients recognize the latest scams, including AI-driven deepfakes.

How advisors can protect their internal systems

Financial advisors must approach data security from both a technical and human standpoint, says Roberta Duffield, vice president of intelligence at Blackbird.AI, based in New York City.

On the technical side, this includes implementing strong access controls, such as multi-factor authentication, encrypting sensitive data, and continuously monitoring for anomalous behavior within their systems, Duffield says.

“Advisors should also follow the principle of least privilege—ensuring employees have access only to the data necessary for their roles—and regularly audit those permissions,” she says.

Equally important is the human layer, as many breaches originate from social engineering rather than system failures, Duffield says. Firms should invest in training to help employees recognize phishing attempts, impersonation tactics, and suspicious requests that appear to come from clients or senior leadership. Clear internal verification protocols are critical guardrails.

“Financial advisors should also assume breaches and fraud attempts will happen, and prepare accordingly,” she says. “This means proactively formulating incident response plans, clear escalation paths, and client communication strategies before a crisis occurs.”

Minimizing the amount of data stored is another key cybersecurity practice, says Jacob W. Anderson, president of Beyond Ordinary Software Solutions, based in San Diego, California.

“I hope they’re not using Excel spreadsheets anymore—but the tool that they use needs to be encrypted so people can’t just steal the database and access all kinds of data,” Anderson says. “It’s not your data. It’s somebody else’s. You’re just borrowing the right to access it.”

As the trusted administrator, the advisor needs more than one method of authentication to gain access, which is why multi-factor authentication is so critical, he says. Advisors should also make sure their vendors stay up to date with the latest cybersecurity toolkits, such as OpenSSL, and use cryptographic methods.

“Then there need to be avenues of recovery so that users can have their data removed when they are no longer a client of that financial advisor,” Anderson says.

How two advisory firms approach cybersecurity

Libertas Wealth Management Group in Columbus, Ohio, relies on secure custodial platforms with separate codes that live on only one other device—each advisor’s personal phone, says the firm’s president and senior financial advisor, Adam Koos, CFP, CMT, CEPA. The firm has also implemented encrypted systems, multi-factor authentication, and strict internal access controls.

Libertas uses software such as Citrix ShareFile within emails and encryption keys for portfolio management software, Koos says. The firm also monitors the market for any potential upgrades with the help of its IT provider, Singlesource IT.

“As a true fiduciary firm, we view cybersecurity similarly—as a fiduciary responsibility, not just a technology issue,” he says. “We also focus on process, which is hugely important to me.”

Sensitive information is only accessible to employees who truly need it, and permissions are reviewed regularly, Koos says. Libertas also works closely with its vendors to ensure their security standards meet or exceed its own.

“It’s a layered approach, not a single solution,” he says.

For Anjali Jariwala, CFP, principal at FIT Advisors in Redondo Beach, California, protecting client data is a top priority, given the firm’s access to clients’ sensitive data and information.

FIT Advisors uses two-factor authentication, typically through an authenticator app, on all platforms and websites that handle sensitive information, Jariwala says. The firm also uses a secure password manager and encourages clients to do the same.

“Our main custodian is Schwab, which puts extra parameters in place to ensure money is kept safe,” she says. “Finally, we require clients to upload all documents using a secure file-sharing system.”

Educating clients on how to protect themselves

Today’s most effective scams often rely less on technical hacking and more on psychological manipulation, Duffield says. These threats may be amplified by AI, which creates new risk vectors and significantly increases their effectiveness.

How scammers target elderly clients

“Elderly people are frequently targeted because scammers believe they may have accumulated significant assets, be less familiar with newer technologies, or be more socially isolated,” she says.

Common examples include highly personalized phishing emails or text messages that appear to come from a known institution, advisor, or even a family member, Duffield says. These operations are often supported by underground markets where personal data, voice samples, and scam scripts are bought and sold, allowing attackers to tailor their approach convincingly.

Relationship and romance scams are particularly common, she says. These involve long-term emotional manipulation initiated online or over text messaging, in which the victim believes they are in a romantic relationship with the scammer. Trust is built gradually before the scammer makes financial requests of the victim, often framed as emergencies, medical needs, or investment opportunities.

Another common tactic is the “grandparent” or family-emergency impersonation scam, which uses AI-generated voice cloning, Duffield says. Victims may receive a call that sounds exactly like a grandchild or loved one in distress, asking for immediate financial help, such as medical or legal fees.

AI-generated deepfakes are a particularly concerning threat, taking the exploitation of cognitive biases to “a whole new level,” she says.

“Imagine receiving a phone call from a voice that sounds exactly like a family member asking for urgent financial help to get out of jail, rather than an unknown lawyer,” Duffield says. “It is easy to assume that you would never fall for an AI impersonation of a loved one, but when faced with a high-pressure, high-stakes situation, our brains go into panic mode.”

Even a low-quality deepfake can be enough to convince a victim that they must act quickly when they are too disoriented to think clearly, she says. Highly targeted deepfakes are still relatively new but are increasingly being used in sophisticated scam operations.

“Advisors can play a critical role by encouraging trusted-contact arrangements, normalizing conversations about scams, and reinforcing that pausing to verify is always acceptable,” Duffield says.

Why business owners face elevated cyber risks

Business owners are attractive targets because they regularly authorize payments, manage vendors, and interact with financial and legal professionals, Duffield says. Business email compromise is a common tactic in which scammers impersonate executives, vendors, or legal counsel to request wire transfers or changes to payment details. These messages often mirror real communication styles and timing, making them difficult to spot.

Scammers also target business owners with fake regulatory notices, tax issues, or legal threats designed to trigger fear of penalties or reputational harm, Duffield says. AI-generated emails and documents can make these communications appear highly professional and legitimate.

“Advisors should encourage business clients to establish strict verification processes for financial requests—especially those involving urgency or changes to existing arrangements—and to separate decision-making authority where possible,” she says.

How advisors can help clients recognize and avoid scams

When it comes to educating clients about the latest scams, advisors should remind clients to always “think twice,” Anderson says.

“If they get an email, give it a little pause, make sure it makes sense,” he says. “If they have any doubt, ask somebody else to make sure that it seems reasonable.”

There are also technical steps clients can take to help determine whether that email is bona fide, Anderson says. They could look at the email headers to see where it came from and check for suspicious domains, such as those ending in “.ru.” If anything seems out of the ordinary, clients should avoid responding or even opening it.

“I personally configure my emails to display only text, getting rid of HTML or anything like that,” he says. “Once you do that, you’ll be able to spot the scam emails really fast. The advent of rich text email was the start of most of these email exploit campaigns because it made it easy to hide stuff.”
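The header check described above can be done mechanically. The following is an added example, not code from the article or its sources: it reads a constructed sample message and reports sender-domain mismatches and failed authentication results. The sample message, its domains, and the `expected_domains` set are all assumptions made for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
import re

# Constructed sample message (not real mail); all names and domains are made up.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.7])
 by mx.client.example with ESMTP; Tue, 05 May 2026 09:12:44 -0400
Authentication-Results: mx.client.example;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=advisor-firm.example
From: "Your Advisor" <advisor@advisor-firm.example>
Reply-To: payments@advisor-firm-secure.example
Subject: Urgent: updated wire instructions
Date: Tue, 05 May 2026 09:12:40 -0400

Please send the transfer today.
"""

def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def review_headers(raw, expected_domains):
    """Return a list of findings that deserve a second look before replying."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    findings = []
    if from_dom not in expected_domains:
        findings.append(f"From domain {from_dom!r} is not one you expect")
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom!r} differs from From domain")
    auth = " ".join(str(v) for v in msg.get_all("Authentication-Results", []))
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", auth)
        result = m.group(1).lower() if m else "missing"
        if result != "pass":
            findings.append(f"{check} result is {result}")
    return findings

if __name__ == "__main__":
    for line in review_headers(SAMPLE, {"advisor-firm.example"}):
        print("-", line)
```

A finding is a reason to verify through a known channel, not proof of fraud: legitimate bulk-mail services often use a different Return-Path domain. The Authentication-Results header is only meaningful when it was added by the recipient's own mail provider.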

With AI-generated deepfake phone calls, it’s very easy to fool people because audio quality over the phone is limited, Anderson says. Fraudsters can mask inconsistencies to make a voice sound familiar.

Advisors should remind clients that if they receive a phone call that seems the least bit suspicious, they should always tell the caller they will call them right back using a number they know, he says.

“Even if the caller really needs $50,000, they can wait a moment for the client to call them back,” Anderson says. “Advisors should tell their clients to think twice, consider the moment, and not let their feelings overwhelm them.”

Turning awareness into action with clients

At FIT Advisors, Jariwala sends clients detailed emails outlining how they can protect themselves, especially their credit.

“I advise clients to implement credit freezes, credit freezes for children, credit monitoring services, and more,” she says. “I educate them on utilizing password managers with strong passwords and multi-factor authentication to reduce the risk of false logins.”

Koos and his team at Libertas will occasionally see phishing attempts in their own inboxes that could easily end up in a client’s as well. The spam emails are often well crafted and difficult to detect, so the firm notifies clients, business partners, and its IT provider so they can watch out for them as well.

“With our clients, we regularly talk about phishing emails, spoofed phone calls, and messages designed to create urgency or fear,” he says. “We emphasize that most fraud today isn’t technical—it’s psychological. So we reinforce a simple rule: If something feels rushed, unusual, or out of character, slow down and call us first.”

The risks are different depending on the client, and Koos and his team tailor the conversation accordingly. For retirees, they emphasize verification and trusted contacts. For business owners, the focus is on processes, controls, and ensuring no money moves without proper confirmation.

“AI is no joke—it’s the real deal, so that’s why we stress that no financial request should ever be acted on without secondary verification through a known, trusted channel,” Koos says.

Trades should only be confirmed over the phone, not through email, and everyone needs to stay vigilant and skeptical—regardless of how real a communication might appear, he says.

“In my opinion, cybersecurity is as much about people and habits as it is about technology,” Koos says. “The strongest defenses come from good systems combined with informed clients—and a culture where it’s OK to slow things down and ask questions.”

The opinions expressed in this article are those of the author and the sources cited and do not necessarily represent the views of Proactive Advisor Magazine. This material is presented for educational purposes only.

CFP and Certified Financial Planner are registered trademarks of the Certified Financial Planner Board of Standards Inc. (CFP Board). CMT and Chartered Market Technician are registered trademarks of the CMT Association.

Katie Kuehner-Hebert is an award-winning journalist with more than three decades of experience writing about the financial-services industry. She has expertise in banking, insurance, financial planning, economic development, and employee benefits. Her work has appeared in many leading publications.
